Changeset 95
- Timestamp:
- 30/05/05 14:45:55 (4 years ago)
- Files:
-
- TODO (modified) (1 diff)
- admin.lib.php (modified) (5 diffs)
TODO
r94 r95 4 4 ---------------- 5 5 * Fix login process - password errors currently result in the login box being printed in the wrong place 6 * CRITICAL - any user can edit any other user's blog entries 7 * SEVERE - blog entry short-titles should not have to be unique across the whole blog system - they should use the username too 6 7 Bugs that have been fixed 8 ------------------------- 9 * Fixed in rev 95: CRITICAL - any user can edit any other user's blog entries 10 * 95: SEVERE - blog entry short-titles should not have to be unique across the whole blog system - they should use the username too 8 11 9 12 New Features admin.lib.php
r93 r95 236 236 } 237 237 //sanitise subject (make sure it's not a number!) 238 if (isset($_POST['subject']) && trim($_POST['subject']) != "" && (int)$_POST['category'] != 0) {238 if (isset($_POST['subject']) && trim($_POST['subject']) != "") { 239 239 $subject = addslashes(trim(strip_tags($_POST['subject']))); 240 240 } else { … … 250 250 if (!$this->inputError) { 251 251 //check to see this post exists 252 $sql = db_query("SELECT id from entries where shortsubject = '".$id."' ;");252 $sql = db_query("SELECT id from entries where shortsubject = '".$id."' AND user_id='".$this->id."';"); 253 253 $sqlNum = db_num_rows($sql); 254 254 //yes?, we can update it then.. 255 255 if ($sqlNum == 1) { 256 $sql = db_query("UPDATE entries SET category = {$category}, subject = '{$subject}', body = '{$body}' WHERE shortsubject = '{$id}' ;");256 $sql = db_query("UPDATE entries SET category = {$category}, subject = '{$subject}', body = '{$body}' WHERE shortsubject = '{$id}' AND user_id = '".$this->id."';"); 257 257 if (!$sql) { 258 258 error(2,"Database commit failed - ".db_error()); … … 277 277 { 278 278 $id = $this->blog->makeCleanString($id); 279 $sql = db_query("SELECT subject, category, body, shortsubject from entries where shortsubject = '".$id."' ;");279 $sql = db_query("SELECT subject, category, body, shortsubject from entries where shortsubject = '".$id."' AND user_id = '".$this->id."';"); 280 280 $sqlNum = db_num_rows($sql); 281 281 //yes? we can update it then.. 
… … 283 283 $row = db_getrow($sql); 284 284 $this->printEntryForm($row,true,true); 285 } 285 } else { 286 error(2, _("Could not find the requested entry.")); 287 } 286 288 } 287 289 … … 308 310 echo "<select name=\"category\" id=\"category\">"; 309 311 //pull in the list of catogories from the database 310 $sql = db_query("SELECT id, name FROM categories ");312 $sql = db_query("SELECT id, name FROM categories ORDER BY name ASC;"); 311 313 while ($sqlRow = db_getrow($sql)) { 312 echo "<option value=\"{$sqlRow['id']}\"".(((int)$row['category'] == $sqlRow['id']) ? " selected" : "").">{$sqlRow['name']}</option>";314 echo "<option value=\"{$sqlRow['id']}\"".(((int)$row['category'] == $sqlRow['id']) ? " selected=\"selected\"" : "").">{$sqlRow['name']}</option>\n"; 313 315 } 314 316 echo "</select>";
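Review bot: The ownership checks added at 252, 256 and 279 still assemble the SQL by string concatenation, so `$this->id` reaches the query unescaped, as does `$id` on the update path at 252/256 where, unlike 278, no makeCleanString() call is visible; if user_id is an integer column, `$ownerId = (int) $this->id;` once per method and `AND user_id = ".$ownerId."` in each query would pin the type, otherwise the value should go through the driver's escape function, and the `addslashes()` applied to `$subject` at 239 is not an adequate substitute for that either. The methods containing these queries start and end outside the hunk. At 238 the `(int)$_POST['category'] != 0` test was dropped from the subject check, yet `$category` is interpolated unquoted into the UPDATE at 256 and is assigned outside the hunk, so it is worth confirming it is still cast to int there. At 314 the category name read from the database is echoed into the option unescaped; `htmlspecialchars($sqlRow['name'], ENT_QUOTES, 'UTF-8')` is the HTML-context escape for that string.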
